News

Recent Email Scams

Several popular email scams and threats are cycling through inboxes; this is a great time to review email security tips!

The first email we feature is the “sextortion email scam.” This email alerts you that your password has been stolen and that the attacker has gained access to your computer. The attacker also enters into a blackmail scheme and requests Bitcoin, claiming that he/she has evidence of pornography on your computer.

Has your password really been hacked? Yes.

Your password was likely compromised in a security breach (MyFitnessPal, Experian, DropBox, etc) and posted online. If the sextortion email mentions a specific password, and it was a password that you used, you should stop using that password on all websites.

Does the attacker have access to my computer? No.

How should I proceed? Delete the email. If a specific password was mentioned, stop using it immediately and never use it again. Visit: https://haveibeenpwned.com/ to check a registry of email addresses and passwords that have been hacked and posted online.

The second email is one we call “Fake Boss Requests.” In these emails, company executives appear to ask for assistance with bank transfers or purchasing gift cards.

When these emails hit your inbox, they really do look like they are from within the company at first glance. In most cases, another look at the email address/sender information reveals a mismatch, or the grammar/spelling within the email message may seem off.

Recently these requests have become more sophisticated, warning the employee to not call the boss to check-in, as the boss is too busy and needs the transaction completed quickly.

How should I proceed?

If an email request seems odd or out-of-character, personally contact the sender via phone or face-to-face to ask about the requested transaction. Replying via email is not acceptable, as you may be replying to the scammer’s email address and not the address of your coworker/company executive.

It is also a great time to develop and discuss policies and procedures for banking transactions and financial requests. Make sure that your bank/bankers also have a security protocol for money transfer requests.

Train your phone handlers to be good gate-keepers; don’t let phone handlers give out email addresses, cell phone numbers, titles or names unless they can validate the request for information. Many email scams start with a simple request for information, whether actually calling your office, scanning your website for contact information, or gathering a list of contacts from a professional membership database.

This article is also available in PDF form to download and share.

March 2019 SMB News

The March 2019 Edition of Business Solutions from ITS focuses on the approaching Windows 7 End-of-Support.

View online or download the PDF.

Do you recognize your version of Windows below? If you think you are running Windows 7, try these steps to confirm:

1. Click the Start button, enter “Computer” in the search box, right-click “Computer”, and thenclick “Properties”.

2. Look under Windows edition for the version and edition of Windows that your PC is running.

What Schools Need To Know About Momo And Other Online Threats

We have received several calls and emails to ask about Momo – How can we protect our students? What do we need to know?

This most recent round of Momo-related news has been categorized as a hoax by several reputable firms and thinkers. There is not currently an app or YouTube video using targeted children’s content and the MOMO image the threaten children. However, now that several news outlets and most of social media has shared warnings online, we face the risk of nefarious people taking advantage of the curiosity of parents and children and posting inappropriate content targeting the MOMO search keyword. We may also see fake social media profiles and gaming profiles pop-up, where users pose as MOMO or other scary characters and interact with users.

Like many, I personally spent a large chunk of time on Wednesday and Thursday this week reading articles, clicking links, watching Peppa Pig, and logging into gaming sites. I also visited some schools virtually and in-person to check web history and firewall traffic. If a child searches for Momo on the Internet, they will find images of Momo, will find haunting videos and will likely find the same Peppa Pig video that everyone has been sharing with the spliced content. Much of this content is the same content shared in multiple ways by news sources, school districts and public safety organizations attempting to alert parents and keep children safe.

The Momo Challenge first hit the news cycle in July of 2018 as a viral challenge that threatened harm if you told others that you had seen Momo or did not follow-through with requested actions. Multiple people portrayed Momo through the popular communication service WhatsApp. The viral nature encouraged people to “become” Momo and seek to threaten and scare others, while also encouraging younger children and teens to seek out interactions with Momo on social media.

Momo is not the first viral challenge, and will not be the last. Some viral challenges have been good, raising awareness and funds for specific causes like the “Ice Bucket Challenge.” Other challenges have encouraged children to perform dangerous tasks, run away for 48 hours, or bully others. It is important to discuss peer pressure in relation to viral challenges with our students. This was a good list of popular viral challenges:https://www.commonsensemedia.org/blog/viral-youtube-challenges-internet-stunts-popular-with-kids

Multiple Sources

We require students to use and cite multiple sources when doing research at school; why should parents, law enforcement, news outlets, and schools share safety warnings without first performing minimal research? Where should we check to find trustworthy opinions on cyber safety? Some sites we have used to cross-reference viral posts or learn more about online threats:

YouTube

It is also important to help children know how to report unsafe content and actions. When on YouTube, for example, users are asked to flag inappropriate content – the response is generally very quick! YouTube has also changed several policies in the past week to try and eliminate issues related to Momo and other inappropriate content that may be targeting children. You may see comments gone from some types of videos and may see that YouTube requires you to sign-in as proof of age.

Annonymous Reporting

Classrooms should have a procedure in place that allows students to report unsafe sites and unsafe content anonymously. We often hear reports that one student finds something online (at school, or brings from home on a personal device) and shows another student. The offended student is embarrassed and scared to report the incident with staff for fear of getting in trouble also. Students are more likely to report inappropriate sites and content, or gaming sites that waste educational time, if they can report annonymously.

Online Gaming

Children that play online games at home should know how to report inappropriate users or content, and should also be aware that community-generated games may not take action to remove reported content or users and it may be better to leave the game entirely. Many games also have built-in chat components; we always recommend that users do not use their real name or any personally identifying information in their username or chat sessions.

While the Momo Challenge news did not represent an actual threat at this time, online communities are always looking for new opportunities to engage and manipulate youth. Please, don’t hesitate to reach out if you are trying to block specific content, looking at YouTube account settings, or have general online safety questions for your school.

Hack Prevention and Cleanup

I recently attended a webinar on new cybersecurity threats, and watched a “live hack” as part of the learning session.

The hacker was a Certified Ethical Hacker (CEH) and Computer Hacking Forensic Investigator (CHFI); two certifications that we also hold in our office. The featured hacker works for a security firm that performs intrusion and penetration tests on networks and runs a phishing/social engineering training service.

The live hack took seven minutes from start to finish; we watched the hacker visit a company website to grab email addresses for specific roles within the company. The hacker sent an email to a random person on staff in order to receive a reply with a company signature line. He then created a spoofed email address, appearing to send a message from the CEO to various members of the sales team – included in that email was a copy of the signature line he had just received, to keep the email consistent with the company “look”. The email attachment contained an Excel file with macros and appeared to contain company data regarding sales for the end-of-the-quarter. After the hacker clicked send, it was only a matter of time before the sales staff received and opened the infected email.

As soon as the recipients clicked to enable macros, the hacker received backdoor entrance to their computers. While logged in, the hacker had several different options. He could remain hidden and use a key logger to collect usernames and passwords, he could install an encryption file and hold the recipients’ files ransom, he could begin using the computer to mine bitcoin or host bots and viruses, or he could try to reach across the domain to infect other computers on the network.

One click and seven minutes were all it took to seriously compromise the data, network, and users of this specific business. As we followed the hacker back to the beginning, he illustrated the clues the users should have seen to indicate that this was a phishing email and not real sales data. We could hover over the sender name and see that the address did not match the expected domain. We could have hovered over the links in the signature line and noticed that they were not live – that the signature line was a screenshot.

Many of the webinar attendees questioned why the virus-scan on the recipients’ machines did not block the infected file. The hacker showed us that the recipients were indeed using a virus scan, but a free version that was only comparing files to a known database. His infection was so new that the signature had not yet been listed in these virus databases. If the recipients had been using sandbox-based endpoint protection (antivirus), the file would have been opened in the cloud away from the physical computer and checked for behavioral characteristics before releasing the file for download.

What can clients do to protect themselves from sneakier and trickier cyber threats?

Endpoint Protection – Install an Antivirus and Antimalware software and make sure that you run updates as they become available and run scans on a regular schedule.
Firewall – This Intrusion Prevention device can close-off your network to uninvited internet traffic.
Train employees on how to spot and deal with phishing emails
Password Safety: use strong, unique passwords, use multi-factor authentication when possible, and use biometrics (facial or fingerprint scan) as an authentication tool.
Use productivity tools with built-in security, like Microsoft 365 Business

I have also attached a PDF that discusses several of these tools and policies in greater detail.

Leslie is Marketing Manager at ITS, with a background in K-6 Education. Leslie’s daughter recently attended a STEM career/experience day, and came home announcing that she was the “fastest hacker” – a sure sign that she does listen to her parents at home!

Mobile and IoT Threats

I recently presented to local 6th grade students on careers in STEM; as part of my presentation, I always like to include a little bit of privacy and IT security information. During our discussions, many of the students relay that they are the go-to IT provider at home – especially for “easy” setups like Amazon Alexa or Google Home. These users, in many cases, are also allowed to make their own choices regarding video game and app installation. After reading McAfee’s annual mobile threat report, it is clear that these areas (IoT setups and mobile apps) could be an easy way for cyber criminals to access your network and your devices. Make sure that your home and business devices are setup with a security-first mindset.

Read The Entire McAfee Mobile Threat Report

If you are looking for the highlights, I’ve listed the major threats and some protection advice below. The best protection method is to always think before clicking, whether installing an app or following a web link.

Hidden and Fake Apps

While Google Play and Apple’s iTunes/App Store have security guidelines in place for app developers, users are still vulnerable to fake or hidden apps on their mobile devices.

One method is for scammers to send a text message with an invitational link to download an app. This app may look like a legitimate banking app and the text may appear to be from a national banking chain, but the app may be specially designed to trick you into entering your banking credentials and other passwords. This threat is especially prevalent in the Android market. Take time to look up the app in the app store, read reviews and download statistics, and check the app description for grammatical errors or typos.

Popular games like Fortnite also create a flurry of fake apps and add-ons. As Epic (developer of the popular Fortnite game) moved the game outside of the Google Play store for Android users, opportunities developed for scammers to advertise their version of the Fortnite game. You should always download games and apps directly from the app store or game developer website.

Home (Invasion) Assistants

The McAfee report also indicates that many smart home assistants (Amazon Alexa, Google Home) are setup with minimal security settings. The password may be weak and insecure, the wireless network itself may be easy to hack, or failure to run firmware upgrades on your IoT devices might allow hackers to use known vulnerabilities.

As IoT device offerings continue to grow in the home-device market, it is important to do your research and make sure you are buying a product with a reputable security controls. An off-brand product may be taking advantage of explosive growth in the market to offer a cheaper product with little security oversight.

Tools that allow users to segment or subnet their home network are increasing in ease-of-use and availability. Most business networks will have some items in a subnet, to increase network efficiency and prevent open communication to specific types of devices/users.

Read The Manual

While your 12-year-old may be able to add devices to your wifi if you provide the username and password, there is often more to setup than just network access. Read through the installation manual, look online for an authorized support forum if you have questions, and make sure that you know how to check a log of activity on your device. Constant (network) connection also requires constant vigilance.

Leslie is Marketing Manager at ITS, with a background in K-6 Education. She enjoys designing classroom activities and presentations that help students develop an interest and awareness in IT Security.